Issues
|
European Union Travel SurveillanceA post-September 11 law in the U.S. included a demand for access to passenger name records (PNR) from foreign carriers. This data would be used to analyse the names and details of all arrivals and departures from the U.S. At first the EU opposed the transfer of this data from EU carriers' reservation databases to the US Department of Homeland Security on grounds that the transfers would be in breach of EU privacy protections that prevented the further processing of this data without adequate safeguards. As time went on, the European Commission grew concerned that it could not continue its opposition to the US plans for access to passenger data. Pressure was rising from EU Member States, and from other sections of the European Commission. The final Communication from the Commission later stated that the agreement was a sound basis for taking forward work on an EU approach to access to this data. That is, the agreement with the US was thus seen as a precursor to a European policy on access to PNR. The EU policy, however, would not be restricted to combating serious crimes and terrorism, but could be used for any law enforcement purpose, including immigration. In September 2005 the UK Presidency of the European Council proposed further use of PNR as a response to the London-terror attacks, leading to an "intelligence-led approach to border control" ( see documentation here). As a result, the UK Presidency of the EU proposed the long-term retention of this data by border security agencies. Registration of MovementA key mission of the EU is to ensure the free flow of people across borders. The EU thus plays a role in the assurances and procedures established to manage border traffic. A significant portion of this activity began with the Schengen Agreement and the establishment of its new practices and systems. The Schengen Information System (SIS) went live in 1995 and was seen as compensation for the removal of internal borders between France, Germany, Luxembourg, and the Netherlands. It permits Member States to obtain information regarding certain categories of persons and property. Member States contribute by adding data on people wanted for arrest, people to be placed under surveillance or subject to specific checks; people to be refused entry at external borders; and lost or stolen items. By 2003 it had files on 877,655 people, a further 386,403 aliases, according to a Statewatch report . As the EU grew a newer system was proposed: SIS II. Additional changes were introduced at this stage to allow for the storage, transfer and querying of biometric data such as photographs and fingerprints. SIS II is set to go live by 2006. Registration of ForeignersIn response to the terrorist attacks in the U.S. in 2001, the EU decided to implement a Visa Information System (VIS). VIS would hold personal information on every visa application to an EU member state including their nationality at birth, grounds for refusal, and links to other applications. It will be a central database that is complemented by national systems that together link border checkpoints of each country. It is being designed to manage biometric data, being photographs and fingerprints. It is expected that by 2007 it will be processing 20 million visa applications anually, which would result in 70 million fingerprints to be stored for five years. The Article 29 Working Party, a committee of privacy regulators across Europe, have raised a number of concerns regarding the proposed measures within VIS -- in particular, the collection of fingerprint data. The Working Party is concerned that the fingerprints could be used for other purposes, and could also lead to a stolen identities. The Working Party recommends that biometric data should not be stored in the central database unless absolutely necessary, but kept only on the microchip on the visa itself. The Working party was particularly concerned with the centralisation of biometrics because the access to the VIS was ad-hoc and wide. Since the London bombings in July 2005 the momentum has grown for additional databases and tracking mechanisms. The UK Presidency of the EU has been calling for a broadening of the access privileges to VIS, permitting law enforcement agencies across the EU to access all data held there. The Presidency is also calling for similar access to the SIS II. The UK Presidency of the EU is also calling for an entry-and-exit registration programme to keep track of those who have entered but not yet left. The use of biometrics is under consideration within a feasibility study due in December 2006 (see documentation on Statewatch website). Passport and IDThe collection of biometrics is not to be limited to visa-applicants. In its interpretation of the ICAO standard on secure passports, the European Council decided in 2003 to develop a shared apporoach on biometric identifiers for documents for third country nationals, European Union citizens' passports, and EU information systems (VIS and SIS II). In February 2004 the European Commission stated its intention to follow through by requiring all EU travel documents to include the biometric of a facial image, and thus to follow the Americans. Member States were permitted to go further by implementing fingerprints as well. Months later the Council of the European Union forced a change in strategy and ordered that both face and fingerprints be made mandatory. The European Parliament opposed the inclusion of fingerprints and rejected the creation of a central database of EU passports and travel documents. The Council ignored this development and called for facial images within 18 months and fingerprints within 36 months. The Council thus ignored the Parliament and adopted the regulation on December 29, 2004. In February 2005 the European Commission announced the schedule and details for the Council's plan. So far, EU documentation points to the inclusion of only two fingerprints on a chip on the passport with Additional Access Control. This means that the data on the chip relating to fingerprint images can only be read by authorised entities.( "EU-Passport Specification", Working Document, available on the Statewatch website ) The details of these security mechanisms remain unclear. Meanwhile the UK Presidency, which began in June 2005 has promised to standardise identity card systems across the EU so that they also include fingerprints. The UK Presidency argued :
The UK Presidency also calls for the verification of identity against a centralised database, even as the UK Parliament continues to debate whether or not to approve the implementation of biometric ID cards. Communications SurveillancePerhaps the most controversial policy being laundered in Europe is the retention of communications traffic data. European institutions have long recognised the value of communications data and its relationship to free expression and the right to a private life. The committee of all the privacy regulators from the EU member states once stated that traffic data was deserving of special attention . A feature of telecommunications networks and of the Internet in particular is their potential to generate a huge quantity of transactional data (the data generated in order to ensure the correct connections). The possibilities for interactive use of the networks (a defining characteristic of many Internet services) increases the amount of transactional data yet further. When consulting an on-line newspaper, the user 'interacts' by choosing the pages he wishes to read. These choices create a 'click stream' of transactional data. By contrast more traditional news and information services are consumed much more passively (television for example), with interactivity being limited to the off-line world of newspaper shops and libraries. Although transactional data may in some jurisdictions receive a degree of protection under rules protecting the confidentiality of correspondence, the massive growth in the amount of such data is nevertheless a cause of legitimate concern. In 2000 the UK government proposed that all communications service providers -- telephone companies, mobile companies, internet service providers, and internet hosting providers -- retain traffic data generated by their systems for period of 7 years to ensure that the data is available for law enforcement agencies. The Government worried that the data may be deleted because of privacy and business rules. After September 11 a number of European Member States moved to implement the policy of traffic data retention into national law. Few have such regimes in place and what regimes do exist are fragmented in their coverage: some only include mobile phone and landline communications data, others are comprehensive and include internet data. Some require retention periods of a few months, others for four years. Since 2003 the Council of the European Union has been working towards a harmonising measure to ensure that all Member States have a retention policy. By the time the UK Presidency began in June 2005, the Council was wavering between 1 and 4 years for retention, with disagreements on the types of data to be retained, and possibly compelling the collection of data that communications providers did not actually collect. Regimes regulating access to the data was left to national law however. After the London bombings in July the UK Presidency of the EU convened emergency meetings on combating terrorism . Data retention was on the top of the agendas. When presenting the path forward for the UK's Presidency of the EU, it called for Parliament to approve retention, identity documents, use of passenger data, and increased use of CCTV. The European Parliament rejected the Council proposal. In September 2005 the European Commission entered the fray and declared that the Council had no role to play in data retention and instead announced its own policy on retention. The Commission's proposed Directive originally restrained the retention period for mobile and telephone calls to one year and internet data for six months. Access to this data was to be restricted to terrorism and serious criminal investigations. In October 2005 the Council declared that it would call on the Parliament to approve the Commission Directive provided that the Commission Directive would meet some basic standards set out by the Council. This included a retention period of up to 2 years, while permitting even greater periods if passed by national law. If the Parliament failed to approve the measure in time, the Council announced it would reintroduce its own proposal. One of the big differences between the Council and the Commission proposals on data retention is that the Council plans leave regulations on access to be decided by national law. The Commission intended that the data would only be accessed for use in terrorism and serious criminal investigations. In this domain the European Commission has no jurisdiction, however, as it is up to the Governments of the Member States and their Council of the EU to decide on access due to the legal structure of the EU. This leads to a situation where the European Commission and the European Parliament may approve data retention for the purpose of terrorism even though the data will be accessed under countless circumstances because the Council has refused to limit the use of traffic data to combating terrorism. Put more simply: a law passed to combat terror will be used any way that national governments see fit. This is perhaps the clearest case of policy laundering, as Ministers push the European Union to adopt a policy that their own Parliaments have yet to approve. While the Justice Ministers from Member States speak in strong terms at the EU level, their actions at home do not reflect their words. Although some national parliaments have approved data retention, they are far from the majority. Even the UK Parliament has not introduced a law that requires telecommunciations service providers to retain traffic data; rather such a regime is merely voluntary and for a temporary period of time (up to one year). Very few countries have a mandatory regime, and of those who do, they have yet to enforce the law, or to apply the policy to all telecommunications. Ireland, for instance, has retention for three years, but only for telephone and mobile phone data, not for internet transactions. It is certain that if the EU agrees on a policy on retention then all Member States will have to implement a national policy. For instance, the Irish Justice Minister admitted in his own Parliament that he was awaiting the "EU cavalry" to come to his aid and when it had to do so, he was compelled to introduce a law on retention under a late amendment to terrorism legislation. Yet the Irish Government and the Minister is insisting that the European Parliament push through a retention policy with a greater ambit than Ireland's own law claiming that otherwise the EU is infringing upon the sovereignty of Ireland. |